Fiddler 4 – Linux mono install configuration and testing

Fiddler is fun to use for many reasons, mostly because, unlike Wireshark or tcpdump, which show you packets, it works as an HTTP(S) proxy and gives you a much nicer view of whole requests and responses, whether you are analysing some malware or just being paranoid about what a site is doing when you visit it. You get a better understanding of what the traffic entering (ingress) and leaving (egress) your system is up to. Fiddler isn't just for your browser: it also sees the traffic of any other process that sends its web traffic through it, browsers and non-browsers alike.

You can install what is now Fiddler 4 easily by following the steps outlined below.

Instructions for configuring mono (similar in role to Wine) and using Fiddler can be found here.

Downloading Fiddler is as simple as running wget against http://ericlawrence.com/dl/MonoFiddler-v4484.zip, like so:

Create a folder for Fiddler in your home directory first:
mkdir ~/Fiddler
cd ~/Fiddler
wget http://ericlawrence.com/dl/MonoFiddler-v4484.zip

[Screenshot: 01_Fiddler_4]

unzip MonoFiddler-v4484.zip

[Screenshot: 02_Fiddler_4_unzip]

Next, download and install Mono from Xamarin's own repository. Installing it from the distribution's software repository, as I did previously, is quick and simple but leads to HTTPS connections breaking a lot, which gets quite annoying.

Paste the following snippet into the terminal to add the Xamarin Mono repository and its signing key, as seen here.

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
echo "deb http://download.mono-project.com/repo/debian wheezy main" | sudo tee /etc/apt/sources.list.d/mono-xamarin.list
sudo apt-get update

[Screenshot: 03_Fiddler_4_mono_xamarin_install]

After apt-get update has run you can install mono-complete as you normally would through apt-get:

sudo apt-get install mono-complete

[Screenshot: 04_Fiddler_4_mono_complete_install]

This should finish without error.

[Screenshot: 05_Fiddler_4_mono_complete_install_without_error]

Now, to start Fiddler under Mono for the first time, run mono followed by Fiddler.exe from the ~/Fiddler directory:

mono Fiddler.exe
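The install steps above, gathered into one idempotent script with preflight checks, as an added example that is not from the original post. It reuses the download URL, signing key and repository line given above; the ~/Fiddler location, the use of unzip -o and apt-get install -y, and the "install" argument that triggers the run are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the Fiddler-on-Mono setup from
# the post as functions that skip work already done and fail early when a
# prerequisite is missing.  FIDDLER_DIR defaults to the post's ~/Fiddler.
set -eu

FIDDLER_URL="http://ericlawrence.com/dl/MonoFiddler-v4484.zip"
FIDDLER_DIR="${FIDDLER_DIR:-$HOME/Fiddler}"
MONO_KEY="3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF"
MONO_LIST="/etc/apt/sources.list.d/mono-xamarin.list"

# Return 0 if a command is on PATH, 1 otherwise (silent, so callers can test it).
require_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# Return 0 only if the given directory already holds an unpacked Fiddler.exe.
fiddler_unpacked_ok() {
    [ -f "$1/Fiddler.exe" ]
}

# Fetch and unpack Fiddler into $FIDDLER_DIR, skipping steps already done.
# Runs in a subshell so the cd does not leak into the caller.
fetch_fiddler() (
    mkdir -p "$FIDDLER_DIR"
    cd "$FIDDLER_DIR"
    zipfile="${FIDDLER_URL##*/}"
    [ -f "$zipfile" ] || wget "$FIDDLER_URL"
    fiddler_unpacked_ok "$FIDDLER_DIR" || unzip -o "$zipfile"
)

# Add the Xamarin Mono repository once, then install mono-complete if needed.
install_mono() {
    if [ ! -f "$MONO_LIST" ]; then
        sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys "$MONO_KEY"
        echo "deb http://download.mono-project.com/repo/debian wheezy main" | sudo tee "$MONO_LIST"
        sudo apt-get update
    fi
    require_cmd mono || sudo apt-get install -y mono-complete
}

# Run the whole procedure and report what is in place.
setup_fiddler() {
    for c in wget unzip apt-get; do
        require_cmd "$c" || { echo "missing required command: $c" >&2; return 1; }
    done
    install_mono
    fetch_fiddler
    fiddler_unpacked_ok "$FIDDLER_DIR" || { echo "Fiddler.exe not found in $FIDDLER_DIR" >&2; return 1; }
    echo "mono: $(mono --version | head -n 1)"
    echo "run:  cd $FIDDLER_DIR && mono Fiddler.exe"
}

# Only install when invoked as "sh setup.sh install"; otherwise the file just
# defines the functions above so they can be sourced and checked.
if [ "${1:-}" = "install" ]; then
    setup_fiddler
fi
```

Running it a second time is harmless: the zip is not re-downloaded, the repository line is not re-added, and mono-complete is only installed when mono is absent from PATH.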

[Screenshot: 06_Fiddler_4_mono_starting_first_time]

You will then hopefully see something like this appear once it has loaded for the first time.

[Screenshot: 07_Fiddler_4_mono_loaded_first_time]

Now for some configuration so that Fiddler can decrypt the HTTPS traffic on the system: go to Tools -> Fiddler Options as outlined below.

[Screenshot: 08_Fiddler_4_Options]

Under the HTTPS heading tick “Decrypt HTTPS traffic”, which will present you with the following pop-up window. Just click OK to continue.

[Screenshot: 09_Fiddler_4_Options_Decrypt_SSL]

Click the “Export Root Certificate to Desktop” button and click OK to continue. This does exactly what it says and copies the Fiddler root certificate to your desktop, ready for the next few steps.

[Screenshot: 10_Fiddler_4_Options_Decrypt_HTTPS_export_to_desktop]

Next, in Firefox go to Preferences -> Advanced -> Certificates -> View Certificates.

[Screenshot: 11_Fiddler_4_Firefox_Options_Certificates]

Under the Authorities tab choose Import, select the Fiddler root certificate from the desktop, choose to trust it for websites and click OK.

[Screenshot: 12_Fiddler_4_Firefox_Options_Certificates_trust_websites]

Next, while still on the Firefox Advanced page, click Network and then click Settings opposite “Configure how Firefox connects to the Internet”.

[Screenshot: 13_Fiddler_4_Firefox_Options_Proxy_configuration]

Modify your proxy configuration to match mine below and click OK.

[Screenshot: 14_Fiddler_4_Firefox_Options_Proxy_configuration_modified]

At this point you might as well restart your system to confirm that the changes you made persist across a reboot, which they should.
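The Firefox side of the setup (trusting the exported root certificate and pointing the browser at the proxy) done from the shell instead of the dialogs, as an added example that is not from the original post. It assumes Fiddler's default listener of 127.0.0.1:8888 (the values in the screenshot are not reproduced here), that the exported certificate is ~/Desktop/FiddlerRoot.cer, the usual profiles.ini layout under ~/.mozilla/firefox, and the NSS certutil tool from libnss3-tools for the certificate import; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): make the Firefox configuration
# explicit and reviewable.  Proxy host/port default to Fiddler's usual
# 127.0.0.1:8888 (an assumption); override with PROXY_HOST / PROXY_PORT.
set -eu

PROXY_HOST="${PROXY_HOST:-127.0.0.1}"
PROXY_PORT="${PROXY_PORT:-8888}"

# Print the path of the default Firefox profile by reading profiles.ini in the
# given Firefox directory.  Handles IsRelative=1 (path under that directory)
# and absolute Path= entries; fails (exit 1) when no Default=1 profile exists.
firefox_profile_dir() {
    ffdir="$1"
    ini="$ffdir/profiles.ini"
    [ -f "$ini" ] || { echo "no profiles.ini in $ffdir" >&2; return 1; }
    awk -v base="$ffdir" '
        /^\[/          { if (def && path) exit; def = 0; path = ""; rel = 1 }
        /^Default=1$/  { def = 1 }
        /^IsRelative=/ { split($0, kv, "="); rel = kv[2] }
        /^Path=/       { sub(/^Path=/, ""); path = $0 }
        END { if (def && path) print (rel == 1 ? base "/" path : path) }
    ' "$ini" | grep .
}

# Emit user.js prefs that send all Firefox HTTP and HTTPS traffic through the
# proxy.  network.proxy.type 1 means "manual proxy configuration".
proxy_user_js() {
    host="$1"; port="$2"
    printf 'user_pref("network.proxy.type", 1);\n'
    printf 'user_pref("network.proxy.http", "%s");\n' "$host"
    printf 'user_pref("network.proxy.http_port", %s);\n' "$port"
    printf 'user_pref("network.proxy.ssl", "%s");\n' "$host"
    printf 'user_pref("network.proxy.ssl_port", %s);\n' "$port"
    # Empty exclusion list so even localhost requests show up in Fiddler.
    printf 'user_pref("network.proxy.no_proxies_on", "");\n'
}

# Apply the proxy prefs to a profile (once) and import the exported Fiddler
# root CA with certutil when it is installed.  Trust flag "C,," marks the CA
# as trusted to issue website certificates only, matching the post's checkbox.
configure_profile() {
    profile="$1"; ca="$2"
    grep -q 'network.proxy.type' "$profile/user.js" 2>/dev/null \
        || proxy_user_js "$PROXY_HOST" "$PROXY_PORT" >> "$profile/user.js"
    if command -v certutil >/dev/null 2>&1; then
        certutil -d "sql:$profile" -A -n "Fiddler Root" -t "C,," -i "$ca"
        certutil -d "sql:$profile" -L
    else
        echo "certutil not found; import $ca through the Firefox dialog instead" >&2
    fi
}

# Only touch the real profile when invoked as "sh firefox-proxy.sh apply [cert]".
if [ "${1:-}" = "apply" ]; then
    profile=$(firefox_profile_dir "$HOME/.mozilla/firefox")
    configure_profile "$profile" "${2:-$HOME/Desktop/FiddlerRoot.cer}"
fi
```

Firefox must be closed while user.js and the certificate database are edited. When you are finished analysing, undo both changes: delete the network.proxy lines from user.js and remove the CA with certutil -d "sql:<profile>" -D -n "Fiddler Root". A root certificate whose private key sits on disk in the Fiddler directory should not stay trusted in a browser you use for anything else.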

Now that everything is persistent and working correctly you can start looking at your network traffic. Let’s look at two different encrypted HTTPS searches: perform a search query on both Google and DuckDuckGo and see if we can find our searches in Fiddler 🙂

For the test all you need to do is open your browser and search for a keyword; my keywords in this case will be the name of the opposite search engine. I have also clicked the Decode button, which decodes compressed or encoded bodies for us and makes the traffic even more human-readable than it is normally.

As you can see below, I have Firefox open and have performed a search on DuckDuckGo.com for the keyword “google”. The traffic is encrypted, so normally we shouldn’t be able to see it.

[Screenshot: 15_Fiddler_4_Firefox_Decrypting_DuckDuckGo_HTTPS__Search_Query]

As you can see, the search query is easily found under the Raw tab on the right, with the query at the bottom 🙂

[Screenshot: 16_Fiddler_4_Firefox_Decrypted_DuckDuckGo_HTTPS__Search_Query]

You can also see it under HexView:

[Screenshot: 17_Fiddler_4_Firefox_Decrypted_DuckDuckGo_HTTPS__Search_Query_HexView]

WebForms view:

[Screenshot: 18_Fiddler_4_Firefox_Decrypted_DuckDuckGo_HTTPS__Search_Query_WebForms]

TextView:

[Screenshot: 19_Fiddler_4_Firefox_Decrypted_DuckDuckGo_HTTPS__Search_Query_TextView]

Quite cool, isn’t it? But surely this won’t work against Google? Or at least that’s what you’re probably led to believe, as they use HTTPS now like other sites and nobody could possibly intercept that and decode it, could they?

Well, what did you just see above? Exactly that: it didn’t say Google, but it was using HTTPS to secure the transmission of your search query. You may or may not be surprised to discover that everything you type into Google’s search box is actually transmitted even if you haven’t submitted the query by pressing Enter or hitting the search button!

Creepy, isn’t it? All those searches you cleared before hitting Search were transmitted to Google for storage for the rest of your life.

[Screenshot: 20_Fiddler_4_Firefox_Decrypted_Google_HTTPS_Search_Query]

Looking at all the areas covered above for DuckDuckGo, you will see your query submitted to Google’s search in the same places. I will only cover the Raw section for this search, as you already know what exists in the others, and I hope you are trying this yourself anyway rather than just believing what you see. Never trust anything outright; always try something yourself before accepting that it is a certain way.

You can see the Raw output below:

[Screenshot: 21_Fiddler_4_Firefox_Decrypted_Google_HTTPS_Search_Query_Raw]

Cool, isn’t it? Fiddler is brilliant for quickly and easily discovering Indicators of Compromise (IOCs) such as malicious domains, too. Some malware is aware of Fiddler, though, like most other analysis tools, so keep that in mind. It has a lot more power under the hood than what I just covered, so play around with it and see for yourself.

Type in a query and see if you can see it as you typed it, in stages, depending on your typing speed:

[Screenshot: 22_Fiddler_4_Firefox_Decrypted_Google_HTTPS_Search_Query_Stage_1]

[Screenshot: 23_Fiddler_4_Firefox_Decrypted_Google_HTTPS_Search_Query_Stage_2]

[Screenshot: 24_Fiddler_4_Firefox_Decrypted_Google_HTTPS_Search_Query_Stage_3]

[Screenshot: 25_Fiddler_4_Firefox_Decrypted_Google_HTTPS_Search_Query_Stage_4]

[Screenshot: 26_Fiddler_4_Firefox_Decrypted_Google_HTTPS_Search_Query_Stage_5]

Do you see what the significance of the above WebForms tab screenshots is?
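What the stage-by-stage screenshots show, done for a whole captured session at once, as an added example that is not from the original post: pull a query parameter out of each request line (the way the WebForms tab does per request) and report how many partial, keystroke-by-keystroke values were sent before the final one. The request lines are constructed sample data with a placeholder host, standing in for lines copied out of Fiddler's session list; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): audit which search terms left the
# browser, including the partial ones sent while typing.  SAMPLE_REQUESTS is
# constructed data with a placeholder host, not a real capture.
set -eu

# Constructed sample: one suggestion request per keystroke, the submitted
# search, and one unrelated request that carries no query parameter.
SAMPLE_REQUESTS='GET https://search.example.invalid/complete?q=d&client=firefox HTTP/1.1
GET https://search.example.invalid/complete?q=du&client=firefox HTTP/1.1
GET https://search.example.invalid/complete?q=duc&client=firefox HTTP/1.1
GET https://search.example.invalid/complete?q=duck&client=firefox HTTP/1.1
GET https://search.example.invalid/search?q=duck&source=hp HTTP/1.1
GET https://search.example.invalid/static/logo.png HTTP/1.1'

# Read request lines on stdin and print the value of the named query parameter
# from every line that carries it, in capture order.  Values are printed as
# sent (still percent-encoded); lines without the parameter are skipped.
query_values() {
    awk -v p="$1" '
        {
            url = $2
            n = index(url, "?")
            if (n == 0) next
            m = split(substr(url, n + 1), kv, "&")
            for (i = 1; i <= m; i++)
                if (substr(kv[i], 1, length(p) + 1) == p "=")
                    print substr(kv[i], length(p) + 2)
        }'
}

# Summarise the leak: how many requests carried the parameter and how many of
# those values were proper prefixes of the final value, i.e. partial queries
# transmitted before the user finished typing.
leak_report() {
    query_values "$1" | awk -v p="$1" '
        { v[NR] = $0 }
        END {
            last = v[NR]
            for (i = 1; i < NR; i++)
                if (v[i] != last && index(last, v[i]) == 1) partial++
            printf "%d requests carried %s; %d of them were partial prefixes of the final value: %s\n",
                   NR, p, partial + 0, last
        }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_REQUESTS" | query_values q
printf '%s\n' "$SAMPLE_REQUESTS" | leak_report q
```

On the sample this lists d, du, duc, duck, duck and reports three partial prefixes before the submitted "duck". Feeding it the request lines from your own session shows the same thing the five screenshots do, without clicking through each request.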

Have fun 🙂